One of the more difficult aspects of implementing Identity & Access Management solutions is properly managing the security of a user session after authentication. Traditional systems rely on things like timeout counters to determine when a user has stopped using their computer. Once a timeout occurs, the operating system or application will force a logout to occur.

On even the most cursory review, it is easy to see how this approach is flawed. If the timeout is too long, a malicious user could simply wait until the authorized user has left their computer and take over the session. Typical timeouts are 20 minutes which gives an interloper plenty of time to gain access to a neglected session. Solving this problem by shortening the timeout can cause users to login more frequently, impacting productivity and creating frustration.

The response to this is to train users to logout when they leave their computer unattended. But, this can be inconvenient and unproductive, particularly in demanding environments where time — even a few seconds — is at a premium.

What if a user’s presence in front of a computer could be detected and, when he/she is no longer present, have the session lock automatically? This is the premise behind Viion Systems‘ Sentinal Sign-Off solution.

Using standard web cams the system automatically scans and detects a user’s facial features. Once authenticated, the camera will track those unique features and automatically lock the session when the user is no longer present. Upon the user’s return, the Sentinal software will detect the correct facial image and the session is automatically unlocked.

Viion call this ‘Active Presence and Identification’ technology and it is specifically designed for those situations where highly sensitive data is accessed and where a short timeout configuration would introduce unacceptable inconveniences.

It can also be used in organizations that want to prevent users from sharing a session. For example, two users at a counter service may have one computer to share. In many cases, they will simply leave their session running while a co-worker accesses applications under the first user’s credentials. Obviously, this practice would not be compliant with the security policy at many organizations. The Sentinal Sign-Off system can eliminate this weakness.

It is worth noting that the system does not need to store the facial image or video data. It establishes a link between the session and the individual for as long as the session exists, then discards the data. User privacy concerns should not be an issue with most implementations. (It does have the capability of recording and storing images, but this is not required for the solution to work. The recording of images feature can be used for specific security cases that clients may have.)

I had a demo of Sentinal Sign-Off system last week, and can confirm it operates as advertised. One handy feature is that when it ‘loses sight’ of the user, it will show a countdown. When you return to the field of view, the countdown stops. The demo showed how a Sentinal login screen is displayed after session locking, but the company assures me that it can pop up a Windows or application login screen if required.

Viion’s system isn’t the only method that can be used to meet this business needs. Sonar, proximity devices and pressure mats all offer similar capabilities — but each has its own limitations. For example, sonar cannot distiguish between people and inanimate objects.

Aside from some great user convenience, this looks like a solid session management system for niche business needs. I can see it working well with health services applications, financial systems and certain operations consoles where there is a demand high security while maximizing user convenience.

I have been reading a very cool book by Scott Berkun called The Myths of Innovation. First of all, if you are at all curious about how innovations occur, find $33 (or, a mere $20 if you are shopping in the US… don’t get me started on book prices…) and buy this gem.

In a chapter discussing problems and solutions, he quotes Albert Einstein:

If I had 20 days to solve a problem, I would take 19 days to define it.

The book, and Mr. Einstein, raise an interesting question: do we really know the security and privacy problems we are trying to solve before we rush off to find solutions to them? It seems that many developers of IT security and privacy solutions are guilty of not knowing what the real problems were prior to developing their ‘solutions’.

In the early 1990s I was roped into teaching a continuing ed course on security and viruses, cleverly titled “Security and Viruses”. I cobbled together some notes and read up on IT security for the first time. For the hands-on lab, I managed to capture an Empire virus and grabbed a virus killer program off of a BBS. We infected the lab computers and set to work cleaning them of this nasty thing. Much fun was had…

The point to this retro security tale is that the makers of the virus killer framed the problem as ‘find and destroy the Empire virus’. This was so early in the PC virus wars that they didn’t step back and analyze the problem in its entirety, namely, the real problem was related to preventing the infection and, of course, training users to be more careful with their diskettes.

Are we still guilty of this today? Do we focus on authentication when we should really be paranoid about identity proofing? (Does it matter how well we authenticate a person if we didn’t identify them properly in the first place?)

Do we invest in technology to protect employee and customer privacy when those people will happily cough up the information on their own with the slightest incentive? (Why protect a govenment vital statistics database when the same information is shared on Facebook by millions every day?)

I see a lot of after-the-fact Empire virus killing going on. We are still trying to solve the wrong problems.